Active Directory Configuration Setup on 12G Servers Using Lifecycle Controller

Zhan Liu

Active Directory Configuration

This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. © 2013 Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell, the Dell logo, and PowerEdge are trademarks of Dell Inc. Intel and Xeon are registered trademarks of Intel Corporation in the U.S. and other countries. Microsoft, Windows, and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. January 2013 | Rev 1.0

Contents

Introduction
Active Directory Configuration Workflow
1. The Structure of the Active Directory Environment
2. Standard Schema or Extended Schema
3. Set up Active Directory Service
4. Set up the AD Attributes
5. Check the Setting
6. Test the Setting
7. Summary:
Appendix A: Confirming the iDRAC7 has an Enterprise License Installed
Appendix B: Build Active Directory Server
Appendix C: Configure iDRAC for use with Active Directory Standard Schema
Appendix D: Test your Standard Schema Configuration
Appendix E: Sample WINRM Commands and Mapping to iDRAC GUI Display Names
References
Glossary

Introduction

Active Directory (AD) simplifies user account and privilege management. Once AD is set up, AD credentials are used for all iDRACs, so credentials do not have to be configured on each iDRAC individually. These credentials can be used for the iDRAC GUI, for SSH login, and for running both WSMAN and RACADM commands from the CLI.

Integrated Dell Remote Access Controller v7 (iDRAC7) with Lifecycle Controller (LC) provides the capability to programmatically and remotely configure Active Directory (AD) for Dell PowerEdge 12th generation servers.

The whitepaper [1] describes the tasks for manually setting up AD and gives other useful information about setting up AD. This paper does not repeat that content, but concentrates on remotely setting up AD with LC.

The iDRACCard profile [3] explains the iDRAC card attributes, including all AD-related attributes. For more information about the correct attributes for WSMAN commands, see the iDRACCard profile [3].

This document describes the AD workflow by using the remote API that is exposed by the LC capability of Dell PowerEdge 12th generation servers. The goal of this paper is to provide clear steps to set up Microsoft AD on Dell 12G servers by using WS-MAN commands.

This document assumes that customers are familiar with AD, Domain Controller, IP, DNS, DHCP, and Certification Service for Windows, and with manually setting up AD for iDRACs. For more information about manually setting up AD for PowerEdge 12G servers, see Appendix B and C.

Active Directory Configuration Workflow

1. The Structure of the Active Directory Environment

The AD environment comprises the following systems and services:

Active Directory Server: A server that is running Microsoft Windows Server 2008 Enterprise with DNS, DHCP, Active Directory Domain Services, and Active Directory Certificate Service, which provides AD, DNS, and DHCP services.

Server(s): Dell PowerEdge server(s) (for example, R820) with iDRAC7, on which the iDRAC AD setup is to be configured.

Client: A system that is running Microsoft Windows 7 with Internet Explorer 9 and winrm, on which the winrm commands are run to configure the Server(s).

Router: Connects the above three systems in a private network.

2. Standard Schema or Extended Schema

Depending on the application, one of two schemas, standard or extended, can be chosen. The following are the pros and cons of each schema. For more information about schemas, see [1].

Standard Schema:

Pros: Not having to extend the Active Directory schema

Cons: Active Directory group credentials must be entered for each iDRAC

Extended Schema:

Pros: The Active Directory group credentials must be configured only once for all iDRACs, on the domain controller.

Cons: An extension to the Active Directory schema, which is irreversible, is required.

3. Set up Active Directory Service

Before configuring Active Directory for iDRAC, the Active Directory service must be set up and the Enterprise License must be present. Check the Enterprise License by following Appendix A. The Active Directory service setup steps can be found in Appendix B and C. Dell strongly recommends following all the steps in Appendix B and Appendix C to set up the system, testing it manually, and making sure it works before trying to use the WSMAN commands provided in this paper to set up AD. This confirms that the system is a working system. The customer can then try remotely setting up the iDRAC with the procedure stated in this paper. The example in this paper assumes that Windows Server 2008 is used and that the following is the setup for the Active Directory service:

Domain name: ci.local
FQDN: SCCM.ci.local
Group Name: iDRACAdministrators
DNS IP address: 192.168.0.100
iDRAC IP address: 192.168.0.120
User Name: admin

It also assumes that the customer chooses to use:

Standard Schema
Static IP address

4. Set up the AD Attributes

The following attributes must be set.

a. NIC.1#DNSRegister = Disabled
b. NIC.1#DNSDomainName = ci.local
c. IPv4.1#Enable = Enabled
d. IPv4Static.1#Address = 192.168.0.120
e. IPv4.1#DHCPEnable = Disabled
f. IPv4.1#DNSFromDHCP = Disabled
g. IPv4Static.1#DNS1 = 192.168.0.100
h. IPv4Static.1#DNS2 = 0.0.0.0
i. LDAP.1#Enable = Disabled
j. ActiveDirectory.1#CertValidationEnable = Enabled
k. ActiveDirectory.1#Enable = Enabled
l. UserDomain.1#Name = ci.local
m. ActiveDirectory.1#DomainController1 = SCCM.ci.local
n. ActiveDirectory.1#Schema = Standard Schema
o. ActiveDirectory.1#GlobalCatalog1 = SCCM.ci.local
p. ADGroup.1#Name = iDRACAdministrators
q. ADGroup.1#Domain = ci.local
r. ADGroup.1#Privilege = 511

The values are shown as examples only. Customers must change them to values appropriate to their system. For more information and the corresponding winrm commands, see "Appendix E: Sample WINRM Commands and Mapping to iDRAC GUI Display Names".

1. Before running the configuration winrm commands, make sure that LC is ready and delete all pending jobs and pending values (refer to [4], sections 33.2.3 and 33.2.4), as they may prevent further configuration changes.

2. Set up the above attributes by running the SetAttributes() method on the DCIM_iDRACCardService class. This can be done with one SetAttributes() command or with multiple SetAttributes() commands.

3. An iDRAC Card job must be created for the changes to be committed. This can be done by using the CreateTargetedConfigJob() method on the DCIM_iDRACCardService class.

4. Start the system and wait for the job status to change to completion. After the job is 100% completed, upload the certificate that the customer created when setting up their certification service to iDRAC by using the SetPublicCertificate() method on the DCIM_LCService class.

For all the winrm commands, see "Appendix E: Sample WINRM Commands and Mapping to iDRAC GUI Display Names".

5. Check the Setting

The following sample WSMAN command can be run to check the values that the customer set in the above section. Before running this command, change the IP address to the customer's iDRAC IP address, and use the iDRAC credentials.

winrm enumerate "cimv2/root/dcim/DCIM_iDRACCardAttribute" -r:https://<iDRAC IP address>/wsman -u:root -p:calvin -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic -format:pretty

All the AD-related attributes can be found in this output. Search for the AttributeName that the customer is interested in. For example, a sample output for CertValidationEnable is given here:

DCIM_iDRACCardEnumeration

AttributeDisplayName = Certificate Validation Enable
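
The check described in this section can be scripted instead of searching the output by hand. The following is an added example, not part of the original paper and not Dell code: it parses enumeration output in the text layout of the sample above (a class name followed by Name = Value lines) and reports every attribute that differs from the example values in section 4. The sample output is constructed, and the GroupID and CurrentValue property names and the DCIM_iDRACCardInteger class name are assumptions about the enumeration output.

```python
# Expected values: a subset of the paper's example attribute list (section 4).
EXPECTED = {
    "LDAP.1#Enable": "Disabled",
    "ActiveDirectory.1#CertValidationEnable": "Enabled",
    "ActiveDirectory.1#Enable": "Enabled",
    "ADGroup.1#Privilege": "511",
}

# Constructed sample in the text layout of the output above; not captured from
# a real iDRAC. GroupID, CurrentValue and DCIM_iDRACCardInteger are assumptions.
SAMPLE = """\
DCIM_iDRACCardEnumeration
    AttributeDisplayName = Certificate Validation Enable
    AttributeName = CertValidationEnable
    CurrentValue = Disabled
    GroupID = ActiveDirectory.1
DCIM_iDRACCardEnumeration
    AttributeName = Enable
    CurrentValue = Enabled
    GroupID = ActiveDirectory.1
DCIM_iDRACCardInteger
    AttributeName = Privilege
    CurrentValue = 511
    GroupID = ADGroup.1
"""

def parse_records(text):
    """Split the text output into one dict per DCIM_* instance."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DCIM_") and "=" not in stripped:
            current = {"Class": stripped}      # a class-name line starts a new instance
            records.append(current)
        elif "=" in stripped and current is not None:
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip()
    return records

def audit(text, expected=EXPECTED):
    """Return {attribute: (expected, actual)} per mismatch; actual is None if absent."""
    actual = {f"{r.get('GroupID')}#{r.get('AttributeName')}": r.get("CurrentValue")
              for r in parse_records(text)}
    return {name: (want, actual.get(name))
            for name, want in expected.items() if actual.get(name) != want}

if __name__ == "__main__":
    for name, (want, got) in audit(SAMPLE).items():
        print(f"{name}: expected {want!r}, found {got!r}")
```

An attribute that is missing from the output is reported with a found value of None, so a truncated enumeration is not mistaken for a compliant one.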
